[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Samsung Galaxy Buds – Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption (Vendor Response: Working as Intended)



Hello Full Disclosure,

The following publicly available research describes a Bluetooth attack against 
Samsung Galaxy Buds that leverages connection arbitration behavior between HFP 
and A2DP profiles to preempt an active audio session.

Title:

Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption
Exploiting Seamless Earbud Connection Arbitration to Bypass Pairing Trust 
Boundaries

According to the published research, an attacker within Bluetooth range can 
force a transition of the active audio session to an attacker-controlled device 
without requiring user interaction or. The writeup argues that this behavior 
crosses expected trust boundaries associated with paired devices and may allow 
unauthorized audio routing or session takeover under certain conditions.

The author states that the issue was reported to Samsung and that Samsung 
ultimately classified the observed behavior as "working as intended."

Original publication:

Gist:

https://gist.github.com/mroldguy/98c77d25a3e01d6d966523dac353af86

Original:

https://paste.rs/UkBmF.md

Archived copy:

https://archive.is/6KXIp

Summary of the claims made in the publication:

-  Affects Samsung Galaxy Buds devices.
-  Relies on Bluetooth Classic profile behavior involving HFP and A2DP 
connection management.
-  Described as a zero-click attack requiring no user approval during takeover.
-  Does not require compromise of the target phone.
-  Reportedly allows an attacker within radio range to preempt an active 
session and become the active audio endpoint.
-  Vendor response is reported as "working as intended."

Interested readers should consult the original publication for technical 
details, proof-of-concept material, disclosure timeline, testing methodology, 
and limitations.

I am not the author of this research. This message is a reference to an 
already-public disclosure and is being forwarded for awareness and archival 
purposes.

Regards,

Anonymous (490h3fqwomf[)](mailto:490h3fqwomf@xxxxxxxxx)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/